[keycloak-user] Keycloak Roles and Usergroups

Dmitry Telegin dt at acutus.pro
Sun Jul 22 21:18:26 EDT 2018


Hi Max,

On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
> Hi Dmitry,
> 
> do you know if there is any way to retrieve the group context of a
> role?

Could you please elaborate on the "group context of a role"? In
Keycloak, roles are not related to groups (however a group can
reference roles to be automatically assigned to group members).

> 
> My use case would be that I have multiple sport clubs (group) with 
> multiple teams (subgroup)
> 
> -club1
> 
> --team1_1
> 
> --team1_2
> 
> -club2
> 
> --team2_1
> 
> --team2_1
> 
> 
> I have for example the role COACH but of course this role makes only 
> sense in context of the team.

I agree with that, but what's the (bigger) problem you're trying to
solve?

I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following:

- create the "coach" role;
- grant this role to all coaches;
- put your coaches into the corresponding groups (teams);
- use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player).

Hope it helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
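
A model of the access rule suggested above, as an added example that is not part of the original thread and not Keycloak's authorization-services API: the users, the constructed composite role "head_coach", and the club/team group paths from Max's message are all constructed inline.

```python
from dataclasses import dataclass, field

# Constructed sample data modelling the thread's design: "coach" is a realm role
# (a person's function), clubs and teams are nested groups (structure).
# Illustrative decision logic only, not Keycloak's policy evaluation API.

# Constructed composite role: granting "head_coach" also grants its child "coach".
COMPOSITE_ROLES = {"head_coach": {"coach"}}

@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)   # realm roles granted directly
    groups: set = field(default_factory=set)  # full group paths, e.g. "/club1/team1_1"

def effective_roles(user):
    """Expand composite roles transitively: a composite grants every child role.
    Group membership is not expanded this way (being in team1_1 does not make
    you a member of team1_2, nor of club1 for the purposes of this check)."""
    roles, todo = set(), list(user.roles)
    while todo:
        role = todo.pop()
        if role not in roles:
            roles.add(role)
            todo.extend(COMPOSITE_ROLES.get(role, ()))
    return roles

def decide(requester, player):
    """Return (allowed, reason): allow only if the requester holds 'coach' and
    shares at least one team group with the player."""
    if "coach" not in effective_roles(requester):
        return False, "requester lacks the coach role"
    shared = requester.groups & player.groups
    if not shared:
        return False, "requester and player share no team group"
    return True, "coach of " + ", ".join(sorted(shared))

# Constructed users placed in the club/team tree from the thread.
COACH_1_1 = User("anna", {"coach"}, {"/club1/team1_1"})
HEAD_COACH_2_1 = User("bob", {"head_coach"}, {"/club2/team2_1"})
PLAYER_1_1 = User("carl", set(), {"/club1/team1_1"})
PLAYER_1_2 = User("dana", set(), {"/club1/team1_2"})
PLAYER_2_1 = User("eve", set(), {"/club2/team2_1"})

if __name__ == "__main__":
    for req, target in [(COACH_1_1, PLAYER_1_1), (COACH_1_1, PLAYER_1_2),
                        (HEAD_COACH_2_1, PLAYER_2_1), (PLAYER_1_1, PLAYER_1_1)]:
        print(req.username, "->", target.username, decide(req, target))
```

Note that a coach of team1_1 is denied for a team1_2 player even though both teams sit under club1: the shared-group test is on the exact group path, so the team boundary is enforced.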

> 
> As far as I understand keycloak this is currently not possible
> 
> 
> Kind Regards,
> 
> Max
> 
> 
> On 10.07.18 at 14:58, Dmitry Telegin wrote:
> > Hi Vinay,
> > 
> > From my experience, I'd say that:
> > - roles are more likely to reflect person's functions in the
> > organization;
> > - groups are more likely to reflect organizational structure.
> > 
> > For example, if there are offices and departments (like "NY
> > Office",
> > "IT Department"), that would normally map to nested groups.
> > 
> > On the other hand, business functions would rather map to roles
> > (like
> > "managers", "developers", "sysadmins" etc.)
> > 
> > There's also a number of technical differences:
> > - akin to nested groups, there are composite roles. However, the
> > logic
> > is different: if you grant a composite role to a user, every child
> > role
> > would be granted, too (which is not true for groups);
> > - you can assign a role to a group (not vice versa);
> > - by default, Keycloak adapters can restrict access based on roles
> > only. If you want to use groups for the same, you'll need to turn
> > on
> > authorization services and create corresponding policies.
> > 
> > Could you please elaborate on your particular use case? If you
> > describe it briefly, I think we'll be able to decide what's better
> > for you.
> > 
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
> > > What is the difference between Keycloak roles and user groups? Are
> > > they interchangeable, i.e. can we use roles instead of groups or
> > > vice versa to address a problem? Is it possible to have roles within
> > > roles, just like groups?
> > > Clear guidelines on how to use groups and roles will help.
> > > 
> > > thanks
> > > /Vinay
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> 
> 

